Atlas Associates
ARCHITECTURE

สถาปัตยกรรมทางเทคนิค

Flutter ข้ามแพลตฟอร์ม, Firebase แบ็คเอนด์ และ Signal Protocol E2EE พร้อมวิทยาการเข้ารหัสโพสต์ควอนตัม

02 / 06
Mesh Network · BLE Offline

อยู่นอกเครือข่าย? ยังคงเชื่อมต่อ

BLE offline P2P ทำให้บทสนทนา E2EE ของคุณยังมีชีวิตแม้อินเทอร์เน็ตและเครือข่ายมือถือล่ม เป็นทางเลือกสำรองที่แท้จริงสำหรับภัยพิบัติ การเซ็นเซอร์ และโครงสร้างพื้นฐานที่รับภาระเกิน

NO INTERNET. NO PROBLEM.

📡 ไม่มีอินเทอร์เน็ต
🔋 BLE ACTIVE
🔒 E2EE
คุณ
A
M
K
S

สแต็คเทคโนโลยี

LayerTechnology
ClientFlutter 3.44 + Dart
State ManagementRiverpod 3.0 (AsyncNotifier / Generator)
BackendFirebase (Firestore / Auth / Storage / FCM) + GCP
PreKey ServerElixir/Phoenix (Cloud Run, europe-west1) — Firestore transaction-based atomic PreKey consumption
Mesh NetworkBridgefy BLE SDK
CryptographyArc Protocol (libsignal-client Rust FFI): PQXDH (X25519 + ML-KEM-1024), XEdDSA signatures, Sender Key (Group)
Local DatabaseHive (NoSQL, type-safe)
Key StorageFlutterSecureStorage (Keychain / Keystore / Web Crypto API)
Image CacheCachedNetworkImage

PreKey Server — Elixir/Phoenix

Dedicated server for atomic PreKey consumption during Signal Protocol session establishment. Built with Elixir/Phoenix on Cloud Run (europe-west1), optimized for EMEA users.

Elixir 1.19
Elixir 1.19
Erlang/OTP 28 · BEAM VM
Phoenix 1.8
Phoenix 1.8
API only · Bandit HTTP
Cloud Run
Cloud Run
europe-west1 · EMEA
Firestore
Firestore
REST API · eur3 multi-region
Rust (libsignal)
Rust (libsignal)
PQXDH · XEdDSA · Sender Key
Flutter 3.44
Flutter 3.44
iOS · Android · macOS · Web

ท่อส่งการเข้ารหัส E2EE

Phase 1: PQXDH (Post-Quantum Extended Diffie-Hellman)
  IKa(X25519) × SPKb(X25519) → DH1
  EKa(X25519) × IKb(X25519) → DH2
  EKa(X25519) × SPKb(X25519) → DH3
  EKa(X25519) × OPKb(X25519) → DH4
  EKa(ML-KEM-1024) → PQ encapsulate → ss_pq
  HKDF(DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ ss_pq) → Root Key

Phase 2: Double Ratchet
  Root Key → Chain Key → Message Key (per message)
  DH Ratchet: New X25519 key pair per exchange
  Symmetric Ratchet: KDF chain for sequential messages

Phase 3: AES-256-GCM
  Message Key → AES-256-GCM encrypt(plaintext)
  12-byte random IV per message
  Authentication tag for integrity

Phase 4: AEGIS (XEdDSA Signature via libsignal)
  Sign(senderId ‖ timestamp ‖ content) → signature
  XEdDSA: Identity Key (X25519) doubles as signing key

Phase 5: Sealed Sender
  Generate ephemeral X25519 key pair
  ECDH with recipient → HKDF-SHA256 → AES key
  Encrypt(senderId ‖ ciphertext) → sealed message

Group Encryption (ECIES + AES-256-GCM)

Key Distribution (per member):
  GroupKey(AES-256) → ECIES encrypt(member.publicKey) → Firestore

Message Encryption:
  AES-256-GCM(groupKey, plaintext, AAD = senderId ‖ groupId ‖ timestamp)

Key Retrieval (fast path):
  Memory Cache → SecureStorage → Firestore ECIES decrypt

O(N) key distribution, O(1) message encryption. Each member receives the group key encrypted with their public key via ECIES. Messages are encrypted once with AES-256-GCM using Additional Authenticated Data (AAD) for integrity.

E2EE Protection Across All App States

Messages are decrypted immediately upon receipt and cached in persistent storage, ensuring E2EE protection regardless of app state — foreground, background, or terminated.

App State1:1 ChatGroup ChatMechanism
Chat screen activeStreamBuilder decrypt → LRU + SentMessageCache
Foreground (other screen)FCM pre-decrypt → SentMessageCache
Pre-session resetN/APre-decrypt before ratchet reset
Background / TerminatedSharedPreferences queue → bulk decrypt on resume

สถาปัตยกรรมหลายอุปกรณ์

Device 1 (e.g., iPhone)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device 2 (e.g., macOS)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device List Signing: Ed25519 signature on deviceListV1:{sorted_ids}:{timestamp} for tamper detection. No session sharing between devices.

Mesh Network (BLE ออฟไลน์ E2EE)

[Device A] ──BLE── [Device B] ──BLE── [Device C] ──Multi-hop── [Device D]
   100m radius         100m radius         100m radius
ParameterValue
Direct P2PBLE 100m radius
Multi-hopN relay x 100m
ProtocolBridgefy SDK
EncryptionX3DH + Double Ratchet + AES-256-GCM
OfflineStore & Forward queue
Use CaseDisaster, winery fields, remote areas

architecture.ondeviceTitle

architecture.ondeviceDesc

Rosetta

Offlineเร็ว ๆ นี้

architecture.rosettaDesc

  • Model: Gemma 4 (TranslateGemma)
  • Languages: 55
  • Processing: 100% on-device
  • Data leakage: zero

Pet Companion

Offlineเร็ว ๆ นี้

architecture.petDesc

  • Model: Gemma 4 (4B parameters)
  • Storage: Hive (TypeID 96-97)
  • Processing: 100% on-device
  • Server communication: none

SUM

Offlineเร็ว ๆ นี้

อัปโหลด PDF งานนำเสนอ และเอกสารเพื่อสรุปที่ขับเคลื่อนด้วย AI ข้อมูลเชิงลึก และมุมมอง — ประมวลผลบนอุปกรณ์ทั้งหมด พร้อมสรุป AI ทันทีสำหรับ URL ผ่าน Gemini ฟีเจอร์ของแผน Intelligence

  • Model: Gemma 4 (planned)
  • Input: PDF / DOCX / PPTX
  • Processing: 100% on-device
  • Plan: Intelligence
4-Pillar Vision:
  🛡️ DefenseTech     ─── Online: E2EE (PQXDH + ML-KEM-1024) + AEGIS + Sealed Sender
  📡 DisasterTech    ─── Offline: BLE Mesh + additional encryption layers
  🌍 Language Bridge ─── Offline: Gemma 4 (TranslateGemma) on-device translation
  🐾 AI Pet         ─── Offline: Gemma 4 companion, zero server communication

Model Pipeline:
  Firestore config → Download check → Ad gate → Model download → Hive cache
  User input → On-device inference (Gemma 4) → Result → No data leaves device

วงจรชีวิตคีย์ & การหมุนเวียน

Key TypeRotationPurpose
Identity Key (X25519)Account lifetimeCore identity
Signing Key (Ed25519)90 days + grace periodAEGIS message signatures
Signed PreKey (X25519)7-30 daysX3DH handshake
One-Time PreKeys (X25519)Single useForward secrecy per session
PQ PreKey (ML-KEM-1024)Account lifetimePost-quantum key encapsulation
Double Ratchet KeysPer message exchangePer-message forward secrecy